Dive Brief:
- Ronald Ross, a NIST fellow, said recently that the agency is about to publish new best practices to help hospitals strengthen their cybersecurity efforts.
- NIST currently offers a cybersecurity framework, developed for the federal government, that helps organizations understand, select and implement security controls.
- However, healthcare organizations have little control over the operating systems or databases they run and can only apply the patches that vendors such as Microsoft provide, Healthcare IT News reported.
Dive Insight:
Ross explained that the agency is focused on reducing the complexity of systems security engineering, and that the new guidance will include best practices for developing secure software and systems. As hospitals add new systems or devices, each one becomes another potential entry point for a cyberattack.
NIST requested comments on its cybersecurity framework last December, and the Association for Executives in Healthcare Information Security (AEHIS) and the College of Healthcare Information Management Executives (CHIME) said in a joint letter that the framework should be more detailed and updated regularly. HIMSS sent a separate letter to NIST in February urging the agency to keep the Framework for Improving Critical Infrastructure Cybersecurity voluntary for healthcare organizations.
A 2015 report by the Ponemon Institute, a security research firm, found that close to 90% of healthcare providers were hit by cyberattacks in the previous two years and an average data breach costs a hospital $2.1 million, as reported by the Insurance Journal.
The guidance is timely: cybersecurity incidents at hospitals have been making mainstream headlines, notably when Hollywood Presbyterian Medical Center paid attackers $17,000 to regain control of its systems, and when the FBI released a statement warning that ransomware is a growing threat that caused reported losses of more than $24 million last year.
Ross did not give an exact release date for the guidance.